diff --git a/site-cookbooks/5apps-xmpp_server/recipes/default.rb b/site-cookbooks/5apps-xmpp_server/recipes/default.rb
index 8c23687..7332052 100644
--- a/site-cookbooks/5apps-xmpp_server/recipes/default.rb
+++ b/site-cookbooks/5apps-xmpp_server/recipes/default.rb
@@ -22,6 +22,12 @@ end
 
 package "prosody"
 
+service "prosody" do
+ action [:enable]
+end
+
+include_recipe "5apps-xmpp_server::letsencrypt"
+
 # backup the data dir and the config files
 node.override["backup"]["archives"]["prosody"] = ["/var/lib/prosody", "/etc/prosody"]
 include_recipe "backup"
diff --git a/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb b/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
new file mode 100644
index 0000000..0597eef
--- /dev/null
+++ b/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
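Review bot: The included letsencrypt recipe copies the Let's Encrypt private key into /var/lib/prosody, and the context line `node.override["backup"]["archives"]["prosody"] = ["/var/lib/prosody", "/etc/prosody"]` just below the new lines archives that directory, so the key now lands in every backup of this host. Either keep the prosody copy of the key outside the archived paths or document that the prosody backup archive contains key material and must be stored and handled accordingly. The new `service "prosody"` resource only enables the unit, while the letsencrypt recipe later restarts `service[prosody]`; `action [:enable, :start]` would make the converged state explicit instead of relying on the package install to have started the daemon.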
@@ -0,0 +1,41 @@
+# nginx config to generate a Let's Encrypt cert
+
+root_directory = "/var/www/xmpp.5apps.com"
+
+directory root_directory do
+ owner node["nginx"]["user"]
+ group node["nginx"]["group"]
+ action :create
+end
+
+template "#{node['nginx']['dir']}/sites-available/xmpp.5apps.com" do
+ source 'nginx_conf_xmpp.5apps.com.erb'
+ owner 'www-data'
+ mode 0640
+ variables server_name: 'xmpp.5apps.com',
+ root_directory: root_directory,
+ ssl_cert: "/etc/letsencrypt/live/xmpp.5apps.com/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/xmpp.5apps.com/privkey.pem"
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+execute "letsencrypt cert for xmpp.5apps.com" do
+ command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{root_directory} -d xmpp.5apps.com -n"
+ cwd "/usr/local/certbot"
+ not_if { File.exist? "/etc/letsencrypt/live/xmpp.5apps.com/fullchain.pem" }
+ notifies :reload, "service[nginx]", :delayed
+ notifies :run, "execute[copy the tls cert to prosody folder]", :delayed
+end
+
+execute "copy the tls cert to prosody folder" do
+ action :nothing
+ command <<-EOF
+cp /etc/letsencrypt/live/xmpp.5apps.com/fullchain.pem /var/lib/prosody/xmpp.5apps.com.crt
+cp /etc/letsencrypt/live/xmpp.5apps.com/privkey.pem /var/lib/prosody/xmpp.5apps.com.key
+ EOF
+ notifies :restart, "service[prosody]", :delayed
+end
+
+nginx_site 'xmpp.5apps.com' do
+ enable true
+end
diff --git a/site-cookbooks/5apps-xmpp_server/templates/default/nginx_conf_xmpp.5apps.com.erb b/site-cookbooks/5apps-xmpp_server/templates/default/nginx_conf_xmpp.5apps.com.erb
new file mode 100644
index 0000000..db0cfa5
--- /dev/null
+++ b/site-cookbooks/5apps-xmpp_server/templates/default/nginx_conf_xmpp.5apps.com.erb
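Review bot: The heredoc in `execute "copy the tls cert to prosody folder"` copies privkey.pem with a plain `cp`, so the prosody copy of the key gets whatever mode and owner cp and the umask of the chef run produce (likely a root-owned, world-readable file), when it should be readable by the prosody service user and nobody else. Replace the two cp lines with `install -o prosody -g prosody -m 0644 /etc/letsencrypt/live/xmpp.5apps.com/fullchain.pem /var/lib/prosody/xmpp.5apps.com.crt` and `install -o prosody -g prosody -m 0600 /etc/letsencrypt/live/xmpp.5apps.com/privkey.pem /var/lib/prosody/xmpp.5apps.com.key`, substituting the actual service user if the package uses a different one. The copy only runs through the notification from the certonly execute, which is guarded by `not_if` on the existing fullchain.pem, so a later certbot renewal will never refresh the prosody copy and prosody will keep serving the expired certificate; a renewal deploy hook, or running the copy on every converge, is needed for that. The template above is also rendered before certbot runs on a fresh node, so its `File.exist?` checks are false on the first converge and the 443 listener only appears on the next run; adding `notifies :create, "template[#{node['nginx']['dir']}/sites-available/xmpp.5apps.com]", :immediately` to the certonly execute closes that gap.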
@@ -0,0 +1,23 @@
+server {
+ listen 80; # For Let's Encrypt
+ <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+ listen 443 ssl spdy;
+ <% end -%>
+
+ server_name <%= @server_name %>;
+
+ # Used by Let's Encrypt (certbot in webroot mode)
+ location /.well-known {
+ root "<%= @root_directory %>";
+ }
+
+ location / {
+ return 200 'Nothing to see here';
+ add_header Content-Type text/plain;
+ }
+
+ <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+ <% end -%>
+}
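Review bot: `add_header Content-Type text/plain;` under `location /` appends a header rather than replacing the one nginx derives from `default_type`, so the `return 200` response can go out with two Content-Type headers; `default_type text/plain;` is the directive meant for this. The `listen 443 ssl spdy;` line turns on TLS with no `ssl_protocols` or `ssl_ciphers` in this server block, so the TLS policy is whatever the node's nginx.conf and build defaults provide, which is worth stating explicitly once the certificate block is present; `spdy` was also dropped from nginx in 1.9.5 in favour of `http2`, so on a current nginx this line fails the config test — confirm which version the node installs. The `File.exist?` condition is written twice; hoisting it into one `<% tls = File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>` at the top of the template keeps the listen and certificate blocks in step.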